Security: SQL statements updated against SQL injection attacks.
diff --git
a/sales/manage/sales_groups.php
b/sales/manage/sales_groups.php
index 0fb676c6e070e611908c925c6c4cd3566cf47463..2fce1a9bb9a0305514aa7dfb6651e23dd96f2832 100644
(file)
--- a/
sales/manage/sales_groups.php
+++ b/
sales/manage/sales_groups.php
@@
-35,7
+35,7
@@
if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
{
if ($selected_id != -1)
{
{
if ($selected_id != -1)
{
- $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id =
'$selected_id'"
;
+ $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id =
".db_escape($selected_id)
;
$note = _('Selected sales group has been updated');
}
else
$note = _('Selected sales group has been updated');
}
else
@@
-57,7
+57,7
@@
if ($Mode == 'Delete')
// PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
// PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no=
'$selected_id'"
;
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no=
".db_escape($selected_id)
;
$result = db_query($sql,"check failed");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
$result = db_query($sql,"check failed");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
@@
-67,7
+67,7
@@
if ($Mode == 'Delete')
}
if ($cancel_delete == 0)
{
}
if ($cancel_delete == 0)
{
- $sql="DELETE FROM ".TB_PREF."groups WHERE id=
'" . $selected_id . "'"
;
+ $sql="DELETE FROM ".TB_PREF."groups WHERE id=
".db_escape($selected_id)
;
db_query($sql,"could not delete sales group");
display_notification(_('Selected sales group has been deleted'));
db_query($sql,"could not delete sales group");
display_notification(_('Selected sales group has been deleted'));
@@
-117,7
+117,7
@@
if ($selected_id != -1)
{
if ($Mode == 'Edit') {
//editing an existing area
{
if ($Mode == 'Edit') {
//editing an existing area
- $sql = "SELECT * FROM ".TB_PREF."groups WHERE id=
'$selected_id'"
;
+ $sql = "SELECT * FROM ".TB_PREF."groups WHERE id=
".db_escape($selected_id)
;
$result = db_query($sql,"could not get group");
$myrow = db_fetch($result);
$result = db_query($sql,"could not get group");
$myrow = db_fetch($result);